Radius + pppoe + address-list - different machines

Hello.
I have a problem, maybe someone knows how to solve it.
192.168.1.1 - Bandwidth Management (Mikrotik - NAT router)
192.168.1.2 - FreeRADIUS
192.168.1.3 - pppoe-server (Mikrotik - NAS)
10.10.10.2 - the pppoe-client

Internet ----- (192.168.1.1) ---------- (192.168.1.2)
…---------- (192.168.1.3) ---------- (pppoe-client 10.10.10.2)

Everything works fine: FreeRADIUS, the NAS and Bandwidth Management.

I want the RADIUS server to automatically add the client IP address with "/ip firewall address-list add address=10.10.10.2 list=super" on the machine 192.168.1.1 (Bandwidth Management).
Is this possible?
At the same time, when a customer logs on to machine 192.168.1.3, the IP address should be automatically added to the address-list on machine 192.168.1.1.

Can someone help me?

http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client#MikroTik_Specific_RADIUS_Attribute_Numeric_Values

MIKROTIK_ADDRESS_LIST 14988 19

Send back that attribute, and the user will be added to an address list on 192.168.1.3. Then you can add DSCP/TOS marks to those packets in the firewall mangle facility of that router, and have the router at 192.168.1.1 do its policy based on the DSCP/TOS marks rather than based on an address list.

You cannot add the IP to an address list on 192.168.1.1 via RADIUS because that router isn't involved in the RADIUS transaction. You may be able to run scripts on the RADIUS server that fire and make calls to 192.168.1.1 via the API and make changes, and FreeRADIUS is certainly flexible enough to do that, but that's a heck of a lot more work and potentially more fragile. I'd prefer the method I posted. But, again, FreeRADIUS does have post-authentication hooks that let you call scripts after the RADIUS traffic is done, and the API is fully documented and has libraries in many different languages - if you want to go that way.
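As an added illustration of the fallback described in the post above (a FreeRADIUS post-auth script talking to the RouterOS API on 192.168.1.1), not code from the thread, from MikroTik or from FreeRADIUS: the block below implements the RouterOS API sentence encoding and decoding, builds the API form of the address-list add for the client from this thread, and shows the login-then-add flow such a script would run. It assumes RouterOS 6.43 or later (plaintext /login with =name= and =password=) on TCP 8728; the host, user and password are placeholders, and the `!trap` reply bytes used for the offline check are constructed.

```python
"""RouterOS API sentence encoder/decoder for a FreeRADIUS post-auth hook.

Added example for this thread, not MikroTik's or FreeRADIUS's own code.
Assumes RouterOS 6.43+ (plaintext /login) on TCP 8728; host, user and
password passed to post_auth_add() are placeholders."""
import ipaddress
import re
import socket
from typing import List, Tuple


def encode_length(n: int) -> bytes:
    """RouterOS API length prefix: 1 to 5 bytes depending on the word length."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xf0" + n.to_bytes(4, "big")


def decode_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (word_length, position_after_prefix); IndexError means 'need more bytes'."""
    b = buf[pos]
    if b < 0x80:
        extra, n = 0, b
    elif b & 0xC0 == 0x80:
        extra, n = 1, b & 0x3F
    elif b & 0xE0 == 0xC0:
        extra, n = 2, b & 0x1F
    elif b & 0xF0 == 0xE0:
        extra, n = 3, b & 0x0F
    elif b == 0xF0:
        extra, n = 4, 0
    else:
        raise ValueError("invalid length prefix byte")
    if len(buf) < pos + 1 + extra:
        raise IndexError("need more data")
    for i in range(extra):
        n = (n << 8) | buf[pos + 1 + i]
    return n, pos + 1 + extra


def encode_sentence(words: List[str]) -> bytes:
    """Length-prefix each word; an empty word (0x00) terminates the sentence."""
    out = b"".join(encode_length(len(w.encode())) + w.encode() for w in words)
    return out + b"\x00"


def decode_sentence(buf: bytes, pos: int = 0) -> Tuple[List[str], int]:
    """Parse one sentence starting at buf[pos]; returns (words, end_position)."""
    words = []
    while True:
        n, pos = decode_length(buf, pos)
        if n == 0:
            return words, pos
        if len(buf) < pos + n:
            raise IndexError("need more data")
        words.append(buf[pos:pos + n].decode())
        pos += n


_LIST_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def address_list_add(framed_ip: str, list_name: str) -> List[str]:
    """API form of '/ip firewall address-list add address=... list=...'.
    Both values originate from the RADIUS session, so validate before sending."""
    ip = ipaddress.IPv4Address(framed_ip)          # raises ValueError on junk
    if not _LIST_NAME.match(list_name):
        raise ValueError("address-list name contains unexpected characters")
    return ["/ip/firewall/address-list/add", f"=address={ip}",
            f"=list={list_name}", "=comment=added-by-radius"]


def talk(sock: socket.socket, words: List[str]) -> List[List[str]]:
    """Send one sentence, collect replies until !done, !trap or !fatal."""
    sock.sendall(encode_sentence(words))
    replies, buf = [], b""
    while True:
        try:
            reply, used = decode_sentence(buf)
        except IndexError:                         # partial sentence: read more
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("router closed the API connection")
            buf += chunk
            continue
        buf = buf[used:]
        replies.append(reply)
        if reply and reply[0] in ("!done", "!trap", "!fatal"):
            return replies


def post_auth_add(host: str, user: str, password: str,
                  framed_ip: str, list_name: str, port: int = 8728) -> bool:
    """Flow a post-auth hook would run: log in, add the entry, report success."""
    with socket.create_connection((host, port), timeout=5) as sock:
        login = talk(sock, ["/login", f"=name={user}", f"=password={password}"])
        if login[-1][0] != "!done":
            raise PermissionError(f"API login failed: {login}")
        reply = talk(sock, address_list_add(framed_ip, list_name))
        return reply[-1][0] == "!done"


if __name__ == "__main__":
    # offline demo: the exact bytes for the address-list add from this thread
    print(encode_sentence(address_list_add("10.10.10.2", "super")).hex(" "))
```

The length-prefixed words mean the API itself cannot be confused by quoting in a value, but the script still validates the Framed-IP-Address and list name because they arrive from the RADIUS session rather than from the router's own configuration; the API account used by the hook should be limited to the firewall changes it needs, and the TLS variant of the API (port 8729) is the better transport between 192.168.1.2 and 192.168.1.1.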

You’re right, your way is very good.

Just tell me if my reasoning is good.

Should the rules on 192.168.1.3 look like this?
Which is correct, or is it completely different?

What should the rules on the NAT server look like?

Am I thinking in the right direction?

I find it hard to tell from that what is going on. Can you post the relevant text configuration exported and wrapped in code tags? Screenshots may not show all relevant columns, etc.

192.168.1.3:

/ip firewall mangle
add action=mark-connection chain=forward disabled=no new-connection-mark=BROWN passthrough=yes src-address-list=BROWN
add action=mark-connection chain=forward disabled=no dst-address-list=BROWN new-connection-mark=BROWN passthrough=yes
add action=mark-packet chain=forward connection-mark=BROWN disabled=no in-interface=LAN new-packet-mark=BROWN-u passthrough=no
add action=mark-packet chain=forward connection-mark=BROWN disabled=no new-packet-mark=BROWN-d passthrough=no
add action=change-dscp chain=forward new-dscp=1 src-address-list=BROWN
add action=change-dscp chain=forward dst-address-list=BROWN new-dscp=1
add action=change-dscp chain=forward connection-mark=BROWN in-interface=LAN new-dscp=1
add action=change-dscp chain=forward connection-mark=BROWN new-dscp=1

192.168.1.1:

/ip firewall mangle
add action=mark-connection chain=forward dscp=1 new-connection-mark=BROWN passthrough=yes
add action=mark-packet chain=forward connection-mark=BROWN in-interface=LAN new-packet-mark=BROWN-u passthrough=no
add action=mark-packet chain=forward connection-mark=BROWN new-packet-mark=BROWN-d passthrough=no

Sort of.

.3:

/ip firewall mangle
# tag every connection to or from an address in the BROWN list
add action=mark-connection chain=forward disabled=no new-connection-mark=BROWN passthrough=yes src-address-list=BROWN
add action=mark-connection chain=forward disabled=no dst-address-list=BROWN new-connection-mark=BROWN passthrough=yes
# one DSCP rule covers both directions of the marked connection; passthrough so the rules below still run
add action=change-dscp chain=forward connection-mark=BROWN new-dscp=1 passthrough=yes
# packet marks are only needed if this router queues on them itself
add action=mark-packet chain=forward connection-mark=BROWN disabled=no in-interface=LAN new-packet-mark=BROWN-u passthrough=no
add action=mark-packet chain=forward connection-mark=BROWN disabled=no new-packet-mark=BROWN-d passthrough=no

That is only assuming you actually need packet marks on that router. If not, drop the last two rules.

The other router looks right.

Can you tell me how to add this parameter to the list in FreeRADIUS?
I added it only to the file /usr/share/freeradius/dictionary.mikrotik:

ATTRIBUTE Mikrotik-Address-List 19 string

Is it enough?

Should be, yes.
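To make concrete what that dictionary line produces on the wire, here is an added example (not from the thread, FreeRADIUS or MikroTik) that builds and parses the Mikrotik-Address-List attribute as the RADIUS Vendor-Specific AVP (type 26, RFC 2865 section 5.26) FreeRADIUS actually places in the Access-Accept: Vendor-Id 14988 followed by vendor-type 19 and the string value. The sample Access-Accept attribute bytes (a Framed-IP-Address of 10.10.10.2 plus the VSA) are constructed for the demo.

```python
"""Mikrotik-Address-List on the wire as a RADIUS Vendor-Specific AVP.

Added example for this thread, not FreeRADIUS or MikroTik code. The dictionary
line 'ATTRIBUTE Mikrotik-Address-List 19 string' under VENDOR 14988 encodes as:
type 26 | length | Vendor-Id 14988 | vendor-type 19 | vendor-length | string."""
import struct
from typing import List, Optional, Tuple

RADIUS_VENDOR_SPECIFIC = 26
MIKROTIK_VENDOR_ID = 14988      # from the wiki table quoted earlier in the thread
MIKROTIK_ADDRESS_LIST = 19


def encode_address_list_vsa(list_name: str) -> bytes:
    """AVP that FreeRADIUS sends for  Mikrotik-Address-List := list_name."""
    value = list_name.encode("ascii")
    if len(value) > 255 - 8:        # 2 AVP header + 4 vendor-id + 2 inner header
        raise ValueError("address-list name too long for a single AVP")
    inner = struct.pack("!BB", MIKROTIK_ADDRESS_LIST, 2 + len(value)) + value
    body = struct.pack("!I", MIKROTIK_VENDOR_ID) + inner
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(avp: bytes) -> Tuple[int, int, bytes]:
    """Parse one VSA, checking both length fields before trusting the value."""
    if len(avp) < 8 or avp[0] != RADIUS_VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    if avp[1] != len(avp):
        raise ValueError("AVP length field does not match the data")
    vendor_id = struct.unpack("!I", avp[2:6])[0]
    vtype, vlen = avp[6], avp[7]
    if vlen < 2 or 6 + vlen != len(avp):
        raise ValueError("vendor length does not match the AVP length")
    return vendor_id, vtype, avp[8:6 + vlen]


def split_avps(data: bytes) -> List[bytes]:
    """Cut the attribute section of a RADIUS packet into individual AVPs."""
    avps, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated AVP header at offset %d" % pos)
        length = data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad AVP length at offset %d" % pos)
        avps.append(data[pos:pos + length])
        pos += length
    return avps


def address_list_from_reply(attributes: bytes) -> Optional[str]:
    """Return the list name the NAS (192.168.1.3) would act on, or None."""
    for avp in split_avps(attributes):
        if avp[0] != RADIUS_VENDOR_SPECIFIC:
            continue                            # e.g. Framed-IP-Address (type 8)
        vendor_id, vtype, value = decode_vsa(avp)
        if vendor_id == MIKROTIK_VENDOR_ID and vtype == MIKROTIK_ADDRESS_LIST:
            return value.decode("ascii", errors="replace")
    return None


if __name__ == "__main__":
    # constructed Access-Accept attributes: Framed-IP-Address 10.10.10.2 + the VSA
    sample = b"\x08\x06\x0a\x0a\x0a\x02" + encode_address_list_vsa("super")
    print(sample.hex(" "))
    print(address_list_from_reply(sample))      # super
```

Seeing the bytes side by side with the dictionary entry also explains why the dictionary matters on both ends: the RADIUS server needs it to build the VSA, while the NAS already knows vendor 14988 type 19 natively and will create the address-list entry from the value as soon as the Access-Accept arrives.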

Can someone shed some light on this? It looks complicated to me and the solutions are hard for novices to understand.

I would like to add a user, once authenticated in FreeRADIUS, to a certain address-list on MikroTik so that I can do HTB queues instead of the simple queues that FreeRADIUS does, for the purpose of traffic shaping and limitation.

Thanks

I am also looking for this solution.

How do I assign a PPTP user in FreeRADIUS to a MikroTik address-list?
I'm using MySQL + FreeRADIUS.

I've tried to add data to radreply:
INSERT INTO radius.radreply (username, attribute, op, value) VALUES ('user1', 'Mikrotik-Address-List', ':=', 'remote_managers');
and I can see in the log that MikroTik gets Mikrotik-Address-List from FreeRADIUS:
(screenshot: MT.jpg)
but there is no new group "remote_managers" after connecting to PPTP.